HUP article roundup

Buy Android apps -> watch the users -> program click bots -> let the bots loose on the apps -> profit

How do you steal advertisers' money? A criminal group made its money by buying up Android apps that actually had a real user base. It then observed and recorded how the users behaved: what they tapped on and how they used the app. From that data they programmed bots that behave exactly like real users. Then they let those bots loose on the apps, mixed in with the real users, and generated several million dollars of fraudulent ad revenue from the bots' clicks.

Details: https://www.buzzfeednews.com/article/craigsilverman/how-a-massive-ad-fr…

Nginx off-by-slash vulnerability


location /static {            # prefix location, no trailing slash
    alias /home/app/static/;  # alias with trailing slash
}

With this configuration, a request for http://127.0.0.1/static../config.py reads the /home/app/config.py file: the prefix location /static also matches /static.., and alias replaces the matched prefix, so the file path becomes /home/app/static/../config.py.

(I tested this with the current version, 1.15.5.)

Changing it to location /static/ { avoids the "bug": with the trailing slash, /static../config.py no longer matches the location at all.

Supposedly it is like this by design (though I don't see a real use case for it), so it won't be fixed; everyone check your configs :)

Source: https://twitter.com/x0rz/status/1052899891624710145
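As an added example (written for this roundup, not part of the original post or of nginx): a small Python script that scans an nginx config for the prefix-location-without-trailing-slash plus alias-with-trailing-slash combination, and models how nginx maps a request URI through a prefix location and alias, so the traversal in the vulnerable config and its absence in the fixed one can be seen side by side. The sample config is constructed here, and the parser only handles simple configs with one directive per line.

```python
import posixpath
import re
from typing import List, Optional, Tuple

# Matches "location [modifier] <path> {" ; modifier is one of = ~ ~* ^~ or absent.
LOCATION_RE = re.compile(r"^\s*location\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{")
ALIAS_RE = re.compile(r"^\s*alias\s+(\S+?)\s*;")

# Constructed sample config reproducing the pattern from the post.
VULNERABLE_CONF = """\
server {
    listen 80;
    location /static {
        alias /home/app/static/;
    }
    location /assets/ {
        alias /home/app/assets/;
    }
}
"""
FIXED_CONF = VULNERABLE_CONF.replace("location /static {", "location /static/ {")


def find_off_by_slash(config_text: str) -> List[Tuple[str, str]]:
    """Return (location, alias) pairs where a prefix location with no trailing
    slash is paired with an alias that ends in a slash. Handles simple configs
    with one directive per line; text after '#' is ignored."""
    findings = []
    current = None        # (modifier, path) of the enclosing location block
    location_depth = 0    # brace depth at which that block was opened
    depth = 0
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0]
        m = LOCATION_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            location_depth = depth
        depth += line.count("{") - line.count("}")
        a = ALIAS_RE.match(line)
        if a and current is not None:
            modifier, loc = current
            alias = a.group(1)
            # Only prefix locations (no modifier, or ^~) do prefix substitution.
            if modifier in (None, "^~") and not loc.endswith("/") and alias.endswith("/"):
                findings.append((loc, alias))
        if current is not None and depth <= location_depth:
            current = None  # left the location block
    return findings


def resolve_alias(location: str, alias: str, request_uri: str) -> Optional[str]:
    """Model nginx's prefix-location + alias mapping: the URI is normalized
    first (so /static/../x becomes /x and never matches the location), then the
    part that matched the location is replaced by the alias and the resulting
    file path is normalized. Returns None when the URI does not match."""
    uri = posixpath.normpath(request_uri)
    if not uri.startswith(location):
        return None
    return posixpath.normpath(alias + uri[len(location):])


if __name__ == "__main__":
    print("findings:", find_off_by_slash(VULNERABLE_CONF))
    for loc in ("/static", "/static/"):
        print(loc, "->", resolve_alias(loc, "/home/app/static/", "/static../config.py"))
```

Running it reports the /static block as a finding and shows /static../config.py mapping to /home/app/config.py under the vulnerable location and to nothing under /static/. The scanner is a quick triage aid for the "check your configs" advice above, not a replacement for reading the config: it does not follow include files or regex locations.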

FreeRTOS TCP/IP Stack RCE, DoS

FreeRTOS is a market leading, de-facto standard for embedded systems that has been ported to over 40 microcontrollers, which are being used in IoT, aerospace, medical, automotive industries, and more.

In November 2017, Amazon Web Services (AWS) took stewardship for the FreeRTOS kernel and its components.

Ori Karliner, a security researcher at Zimperium Security Labs (zLabs), discovered a total of 13 vulnerabilities in FreeRTOS's TCP/IP stack that also affect its variants maintained by Amazon and WHIS.

These vulnerabilities allow an attacker to crash the device, leak information from the device’s memory, and remotely execute code on it, thus completely compromising it.

https://blog.zimperium.com/freertos-tcpip-stack-vulnerabilities-put-wid…
https://thehackernews.com/2018/10/amazon-freertos-iot-os.html

Libssh authentication bypass

CVE-2018-10933, CVSS base score 9.8

By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials.

https://www.libssh.org/2018/10/16/libssh-0-8-4-and-0-7-6-security-and-b…
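To make the state-machine mistake concrete, here is an added example (a Python model written for this roundup, not libssh's code): a server-side userauth dispatcher in the shape of the bug, where the handler for SSH2_MSG_USERAUTH_SUCCESS is reachable from client packets, next to a fixed dispatcher that accepts only SSH2_MSG_USERAUTH_REQUEST from the client. The message numbers are from RFC 4252; the Session structure, the password store and the run_exchange driver are assumptions made for the model.

```python
from dataclasses import dataclass, field
from typing import Callable, List

# Message numbers from RFC 4252. REQUEST goes client->server; FAILURE and
# SUCCESS are only ever sent server->client.
SSH2_MSG_USERAUTH_REQUEST = 50
SSH2_MSG_USERAUTH_FAILURE = 51
SSH2_MSG_USERAUTH_SUCCESS = 52

# Constructed credential store for the model; not how libssh checks passwords.
PASSWORDS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    authenticated: bool = False
    closed: bool = False
    sent: List[int] = field(default_factory=list)  # message types sent to the client


def _check_request(session: Session, payload: dict) -> None:
    """Common handling of a USERAUTH_REQUEST (password method only)."""
    user, password = payload.get("user"), payload.get("password")
    if user in PASSWORDS and PASSWORDS[user] == password:
        session.authenticated = True
        session.sent.append(SSH2_MSG_USERAUTH_SUCCESS)
    else:
        session.sent.append(SSH2_MSG_USERAUTH_FAILURE)


def dispatch_vulnerable(session: Session, msg_type: int, payload: dict) -> None:
    """Dispatcher with the CVE-2018-10933 shape: the handler that processes
    USERAUTH_SUCCESS (a server->client message) is also wired up on the server
    side, so a client-sent SUCCESS marks the session authenticated."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        _check_request(session, payload)
    elif msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        session.authenticated = True  # no credential check at all


def dispatch_fixed(session: Session, msg_type: int, payload: dict) -> None:
    """Fixed dispatcher: during authentication only USERAUTH_REQUEST is accepted
    from the client; anything else is a protocol violation that closes the
    connection without touching the auth state."""
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        _check_request(session, payload)
    else:
        session.closed = True


def run_exchange(dispatch: Callable[[Session, int, dict], None],
                 client_messages: List[tuple]) -> Session:
    """Feed a sequence of (msg_type, payload) client packets to a dispatcher
    and return the resulting session state."""
    session = Session()
    for msg_type, payload in client_messages:
        if session.closed:
            break
        dispatch(session, msg_type, payload)
    return session


# The bypass: the client skips USERAUTH_REQUEST and sends USERAUTH_SUCCESS.
BYPASS = [(SSH2_MSG_USERAUTH_SUCCESS, {})]
# A legitimate password login and a wrong-password attempt for comparison.
GOOD_LOGIN = [(SSH2_MSG_USERAUTH_REQUEST,
               {"user": "alice", "password": "correct horse battery staple"})]
BAD_LOGIN = [(SSH2_MSG_USERAUTH_REQUEST, {"user": "alice", "password": "hunter2"})]

if __name__ == "__main__":
    for name, msgs in (("bypass", BYPASS), ("good", GOOD_LOGIN), ("bad", BAD_LOGIN)):
        v = run_exchange(dispatch_vulnerable, msgs).authenticated
        f = run_exchange(dispatch_fixed, msgs).authenticated
        print(f"{name:6} vulnerable={v} fixed={f}")
```

The point of the model is the direction check: a message type that the protocol defines as server-to-client must never be dispatched to a state-changing handler when it arrives from the client. The same rule makes a useful detection signature on the wire, since a client-to-server packet of type 52 before authentication has no legitimate reason to exist.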

I would have loved to see the developers' faces when they got the bug report...

Software bloat, explained clearly

To those who were expecting our colleague hajbazer: my apologies. :)

Nikita Prokopov (Tonsky) wrote a very good blog post on the subject of bloat. His wording and clarity are far better than hajbazer's ranting here on HUP. (One could learn to phrase things properly instead of just going on about how XP was better...)

http://tonsky.me/blog/disenchantment/

There are one or two things I don't agree with myself, for example when he compares Windows 95 and Windows 10 so simplistically, saying that they both do the same thing yet 10 is 133 times the size.

Data leak at Currys PC World

I received this by email recently.

Currys PC World

Dear Customer

On June 13 2018, we began to contact a number of our customers as a precaution after we found that some of our security systems had been accessed in the past using sophisticated malware.

We promptly launched an investigation. Since then we have been putting further security measures in place to safeguard customer information, increased our investment in cyber security and added additional controls. In all of this we have been working intensively with leading cyber security experts.

Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017. This unauthorised access to data may include personal information such as name, address, phone number, date of birth and email address.

While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and we have no confirmed instances of customers falling victim to fraud as a result. We are continuing to keep the relevant authorities updated.

As a precaution, we are letting our customers know to apologise and advise them of protective steps to take to minimise the risk of fraud. These include:
If you receive an unsolicited email, letter, text or phone call asking for personal information, never reveal any full passwords, login details or account numbers until you are certain of the identity of the person making the request. Please do not click on any links you do not recognise.
If you think you have been a victim of fraud you should report it to Action Fraud, the UK’s national fraud and internet crime reporting centre, on 0300 123 2040*.
We also recommend that people are vigilant against any suspicious activity on their bank accounts and contact their financial provider if they have concerns.
You can find more information here

We take the security of your data extremely seriously and have previously announced that we have taken action to close off this access and have no evidence it is continuing. Nevertheless, we felt it was important to let customers know as soon as possible.

We continue to make improvements and investments to our security systems and we’ve been working round the clock to put this right. We’re extremely sorry about what has happened – we’ve fallen short here. We want to reassure you that we are fully committed to protecting your data so that you can be confident that it is safe with us.

Yours sincerely,

Antreas Athanassopoulos
Dixons Carphone Chief Customer Officer